Close
Enter your
text here

Electronic Discovery

Court Rejects Carpenter Argument for Third Party Subpoena of Google Subscriber Info: eDiscovery Case Law

In U.S. v. Therrien, No. 2:18-cr-00085 (D. Vt. Mar. 13, 2019), Vermont District Judge Christina Reiss denied the defendant’s motion to suppress evidence obtained via a subpoena of Google for subscriber information, rejecting the defendant’s argument that the United States Supreme Court decision in Carpenter v. US forecloses the government’s ability to obtain this type of data without a warrant.

Case Background

In this case related to a one count Indictment against the defendant that he knowingly transported child pornography, an order for eighty-five photograph prints was placed with an online company in February 2018.  An employee of the online company’s outsource print provider informed the Federal Bureau of Investigations that it was concerned that some of the photographs may contain child pornography. Law enforcement subsequently discovered an e-mail address that was associated with the order.

A grand jury subpoena was issued in March 2018 to obtain subscriber information from Google pertaining to the account associated with the email address. In response, Google produced subscriber information, services utilized by the account, the date the account was created, the date and time of the last login, and the IP addresses associated with the account from December 6, 2017 through March 15, 2018. Asserting that law enforcement violated the Fourth Amendment in obtaining records from Google without a warrant, the defendant sought suppression of all evidence obtained pursuant to the grand jury subpoena, citing Carpenter v. US.

Judge’s Ruling

While noting that, in Carpenter, the Supreme Court held that cell-site location information (“CSLI”) was not subject to the third-party doctrine, Judge Reiss also noted that SCOTUS reasoned that “the notion that an individual has a reduced expectation of privacy in information knowingly shared with another” and that “reasoned that because there was no way for individuals possessing cell phones to avoid generating CSLI and because cell phones are now effectively a necessity of daily life, it was unreasonable to conclude that an individual voluntarily exposed CSLI information to a third party.”

Judge Reiss also observed that “Since Carpenter, courts have held that IP address information and similar information still fell ‘comfortably within the scope of the third-party doctrine’ because ‘[t]hey had no bearing on any person’s day-to-day movement’ and ‘[the defendant] lacked a reasonable expectation of privacy in that information.’”  Judge Reis cited several cases, including United States v. Rosenow, 2018 WL 6064949, at * 11 (S.D. Cal. Nov. 20, 2018), which said “The Court concludes that Defendant had no reasonable expectation of privacy in the subscriber information and the IP log-in information Defendant voluntarily provided to the online service providers in order to establish and maintain his account.”

As a result, Judge Reiss ruled as follows in denying the defendant’s motion to suppress the evidence obtained:

“In this case, law enforcement obtained information that an account holder voluntarily turned over to Google. This information is squarely within the third-party doctrine and requires a different result than in Carpenter. As a result, Defendant did not possess a reasonable expectation of privacy in the information obtained by law enforcement.”

So, what do you think?  Should people have a reasonable expectation of privacy for their email accounts in third party subpoenas?  Please let us know if any comments you might have or if you’d like to know more about a particular topic.

Case opinion link courtesy of eDiscovery Assistant.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Fired IT Guy Deleted 23 of His Ex-Employer’s AWS Servers: Cybersecurity Trends

When it comes to data breaches and other cybersecurity threats, many people discuss the threats from outside hackers.  But, it’s the internal employees who can do as much, if not a lot more, damage to an organization’s IT infrastructure.  Especially if the internal employee has been canned and is bent on getting revenge.

An article in Naked Security (Sacked IT guy annihilates 23 of his ex-employer’s AWS servers, written by Lisa Vaas) reports that the UK’s Thames Valley Police announced on Monday that 36-year-old Steffan Needham, of Bury, Greater Manchester, was jailed for two years at Reading Crown Court following a nine-day trial.  Needham pleaded not guilty to two charges of the Computer Misuse Act – one count of unauthorized access to computer material and one count of unauthorized modification of computer material – but was convicted in January 2019.

As the Mirror reported during Needham’s January trial, the IT worker was sacked after a month of lousy performance working at a digital marketing and software company called Voova in 2016.

In the days after he got fired, Needham got busy: he used the stolen login credentials to get into the computer account of a former colleague – Andy “Speedy” Gonzalez – and then began fiddling with the account settings. Next, he began deleting Voova’s AWS servers – 23 servers of data in all, which related to clients of the company.

The company lost big contracts with transport companies as a result. Police say that the wreckage caused an estimated loss of £500,000 (about $700,000 at the time). The company reportedly was never able to claw back the deleted data.  And, it took months to track down the culprit. Needham was finally arrested in March 2017, when he was working for a devops company in Manchester.

Prosecutor Richard Moss noted during the trial that security experts agreed that Voova could have done a better job at security.  Most notable was their failure to implement two-factor authentication.

According to the 2017 Verizon Data Breach Investigations Report (DBIR) (covered by us here), 81 percent of hacking-related breaches used stolen passwords and/or weak passwords.  But, according to this infographic from Symantec, 80 percent of data breaches could have been eliminated with the use of two-factor authentication.  With two-factor authentication, a stolen password is useless if the thief doesn’t also have the device where the authorization code is being sent.  So, you should implement two-factor authentication wherever possible – Voova sure wishes they did.

So, what do you think?  Do you use two-factor authentication to secure your technology solutions?  As always, please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Today is the Day to Learn about Blockchain and How it Impacts Legal Technology: eDiscovery Webcasts

If you think you’re hearing more and more about blockchain and bitcoin, you’re probably right. Blockchain is even being discussed as having potential application in legal technology and electronic discovery. But, what exactly is it? How does it work? And, how do you need to be prepared to address it as a legal professional?  Today’s webcast that will answer those questions – and more!

Today at noon CST (1:00pm EST, 10:00am PST), CloudNine will conduct the webcast Understanding Blockchain and its Impact on Legal Technology. In this one-hour webcast that’s CLE-approved in selected states, we will discuss, define and describe blockchain and how it can apply to legal technology and eDiscovery today and in the future. Topics include:

  • History of Blockchain and Bitcoin
  • Defining Key Terms
  • How Blockchain Works
  • Advantages and Challenges of Blockchain
  • Smart Contracts and Other Use Cases for Blockchain
  • Impacts of Blockchain on Legal Technology and eDiscovery
  • Is Blockchain Really as Secure as People Think?
  • Future of Blockchain
  • Resources for More Info

As always, I’ll be presenting the webcast, along with Tom O’Connor, whose white paper of the same name was published on this blog a few weeks ago.  To register for it, click here.  Even if you can’t make it, go ahead and register to get a link to the slides and to the recording of the webcast (if you want to check it out later).  If you want to learn about blockchain and how it can affect your job as a legal professional, this webcast is for you!

So, what do you think?  Do you know the ins and outs of blockchain or even how it works?  If not, please join us!  If so, please join us anyway!  And, as always, please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Court Orders Defendant to Respond to Interrogatories to Identify Number of Phone Calls it Made: eDiscovery Case Law

In Franklin v. Ocwen Loan Serv., LLC, No. 18-cv-03333-SI (N.D. Cal. Mar. 12, 2019), California District Judge Susan Illston ordered the defendant to respond to interrogatories, “with, at minimum, information regarding the total number of phone calls defendant made during the relevant period to California residents (including any account associated with a California address and any account containing a California area code)” and ordered the parties to stipulate to a method for extrapolating the total number of recorded phone calls defendant made to California residents during the relevant period.

Case Background

In this case brought by the plaintiff, individually and on behalf of all others similarly situated, for illegal recording of cellular phone conversations pursuant to California Penal Code § 632.7, the plaintiff requested “information related to the number of California residents whose conversations with Defendant were recorded.”  The defendant objected that the request was “unduly burdensome and disproportionate to the needs of the case because responding to them would take thousand[s] or hundreds of thousands of hours of work”, requiring them “to examine each account with a California address or area code, determine if any calls were made on that account, attempt to locate those calls and any recordings of those calls, and then listen to the recordings to determine whether the person being called answered the call and was recorded rather than a message being left on voicemail or someone else answering the call.”  Instead, the defendant proposed that the parties stipulate that it called and recorded a minimum number of persons in California, such as “over 100 persons.”

Judge’s Ruling

Referencing Fed. R. Civ. P. 26(b)(1), Judge Illston stated “The Court agrees with plaintiff that information regarding the number of recorded calls defendant made is relevant to his motion for class certification, going not only to numerosity but also to the question of whether ‘a class action is superior to other available methods for fairly and efficiently adjudicating the controversy.’…It is also relevant, among other things, to the question of damages, particularly in light of the Court’s ruling that ‘plaintiff may seek a class-wide award of statutory damages in an amount up to $5,000 per class member[.]’…It will not suffice for defendant to stipulate to an arbitrary number such as ‘over 100 persons.’”

Both parties cited the case Ronquillo-Griffin v. Transunion Rental Screening Sols., Inc., No. 17-cv-129-JM (BLM), 2018 WL 325051 (S.D. Cal. Jan. 8, 2018), where the district court denied the plaintiff’s motion to compel production of the actual recordings defendant made with the potential class members.  However, Judge Illston stated: “Here, plaintiff is not seeking the recordings themselves but requests the total ‘number of California residents whose conversations with Defendant were recorded.’…This is consistent with what the Ronquillo-Griffin court ordered.”

As a result, Judge Illston ordered the defendant to respond to the plaintiff’s interrogatories, “with, at minimum, information regarding the total number of phone calls defendant made during the relevant period to California residents (including any account associated with a California address and any account containing a California area code)” and ordered the parties to stipulate to a method for extrapolating the total number of recorded phone calls defendant made to California residents during the relevant period – all by March 26, 2019.  Hey, that’s today!

So, what do you think?  Was this the right decision or should the judge have accepted the defendant’s proportionality argument?  Please let us know if any comments you might have or if you’d like to know more about a particular topic.

Case opinion link courtesy of eDiscovery Assistant.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

About Half of Surveyed Companies Haven’t Started Preparing for CCPA: Data Privacy Trends

Does this sound familiar?  Last week at the University of Florida E-Discovery Conference, I talked about the California Consumer Protection Act (CCPA) as one of the things that organizations need to be prepared to address these days as part of their compliance obligations.  Sounds like a lot of organizations haven’t gotten around to that just yet.

In an article in Legaltech® News (Almost Half of Companies Haven’t Started CCPA Compliance: Survey, written by Frank Ready), a recent survey of 250 executives and managers at U.S. technology, manufacturing, financial services, utilities and health care companies finds that 44 percent of companies that will impacted by the CCPA haven’t yet taken steps towards compliance.  Only 14 percent of respondents are fully CCPA compliant at this point.

The state’s forthcoming privacy regulation, which is scheduled to take effect next January 1st, empowers Californians with more control over the way their data is collected, shared or viewed by U.S. companies on a daily basis. According to the survey, a large majority of respondents, 71 percent, expect to spend at least $100,000 on compliance efforts. But consulting attorneys may not wind up seeing as much of that money as one might think.

The survey was conducted by Dimensional Research on behalf of the privacy compliance company TrustArc. Chris Bable, CEO of TrustArc, attributed some of the compliance delay to companies that have never had to wrap their heads around these issues before. While the European Union’s General Data Protection Regulation (GDPR) impacted only U.S. companies with business interests in Europe, the CCPA hits a little closer to home.

“One of the pieces that I had underestimated was truly the amount of companies that were not impacted by GDPR, so CCPA is their foray into doing this,” Babel said.

“The legal fees are going to play a role, but I don’t think the legal fee is going to be the largest chunk of the expense. It will really be the in-house kind of grind that needs to be done in order for the compliance steps to be in place,” said Jarno Vanto, a shareholder at Polsinelli.

The “grind” he’s referring to includes extensive work around understanding what data an organization holds and mapping the flow of that data. It also includes checking in with third party vendors and partners to determine what information they have access to as well.

So, how are companies planning on making the leap before the deadline? According to the survey, 72 percent of respondents plan on investing in some sort of technology to help smooth the way.  That doesn’t surprise me – as I discussed in Florida last week, Information Governance (IG) policies are vital to organizations’ ability to meet compliance obligations, but it’s going to take a combination of IG policies and technology for organizations to really get a handle on their data.

So, what do you think?  Are you surprised that so many companies haven’t begun to address CCPA yet?  Please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Judge’s Facebook Friendship with Party Causes Decision to Be Reversed and Remanded to Different Judge: eDiscovery Case Law

In the case In Re the Paternity of B.J.M., Appeal No. 2017AP2132 (Wis. App. Feb. 20, 2019), the Court of Appeals of Wisconsin, concluding that “the circuit court’s undisclosed ESM connection with a current litigant in this case {by accepting a Facebook “friend” request from the litigant} created a great risk of actual bias, resulting in the appearance of partiality”, reversed and remanded the case for further proceedings before a different judge.

Case Background

In this case where the parties entered into an order granting parties Timothy Miller and Angela Carroll joint legal custody and shared physical placement of a minor child in 2011, Carroll filed a motion to modify the court order on the basis that Miller had engaged in a pattern of domestic abuse against Carroll. After the parties had submitted their written arguments, the judge deciding the motion – Judge Michael Bitney – accepted Carroll’s friend request on Facebook. Subsequently, Carroll “liked” eighteen of Judge Bitney’s Facebook posts and commented on two of his posts – none of which related to the pending litigation.  Judge Bitney did not “like” or comment on any of Carroll’s posts, nor did he reply to any of her comments on his posts; however, Carroll’s other activities (“liking” multiple posts from other parties and “sharing” one third-party photograph) did appear on Judge Bitney’s “newsfeed.” One of these shared stories related to domestic violence.

On July 14, 2017, Judge Bitney issued a decision granting Carroll’s modification motion. After the decision, Miller learned that Judge Bitney and Carroll were Facebook friends during the period prior to making his ruling, and moved to reconsider the judge’s decision.  At a hearing on Miller’s motion, Judge Bitney confirmed that he had accepted Carroll’s friend request after the custody hearing and before rendering his written decision. However, he concluded he was not subjectively biased by accepting Carroll’s “friend” request, because he already “had decided how I was going to rule, even though it hadn’t been reduced to writing.” Further, he concluded that “[e]ven given the timing of” his and Carroll’s Facebook connection, the circumstances did not “rise[] to the level of objective bias. . . .” Consequently, he denied Miller’s motion. Miller appealed the decision.

Court’s Ruling

In an opinion written by Justice J. Seidl, he noted that “This case involves what appears to be an issue of first impression in Wisconsin: a claim of judicial bias arising from a judge’s use of electronic social media (ESM)” and stated that “we need not determine whether a bright-line rule prohibiting the judicial use of ESM is appropriate or necessary”.  He also referenced a New Mexico supreme court in Thomas as “particularly instructive”, which said:

“While we make no bright-line ban prohibiting judicial use of social media, we caution that ‘friending,’ online postings, and other activity can easily be misconstrued and create an appearance of impropriety… A judge’s online ‘friendships,’ just like a judge’s real-life friendships, must be treated with a great deal of care.”

The opinion also stated that “the time when Judge Bitney and Carroll became Facebook ‘friends’ would cause a reasonable person to question the judge’s partiality. Although Judge Bitney apparently had thousands of Facebook ‘friends,’ Carroll was not simply one of the many people who ‘friended’ him prior to this litigation. Rather, Carroll was a current litigant who reached out to Judge Bitney and requested to become his Facebook ‘friend’ after testifying at a contested hearing, at which Judge Bitney was the sole decision-maker. Judge Bitney then took the affirmative step to accept this ‘friend’ request before issuing his decision in this case…This timing creates a great risk of actual bias and a resulting appearance of partiality because, even assuming that a Facebook ‘friendship’ does not denote the type of relationship traditionally associated with the term ‘friendship,’ it is unquestionably evidence of some type of affirmative social connection…Carroll’s choice to send a ‘friend’ request to Judge Bitney, combined with Judge Bitney’s choice to accept that request before issuing his decision, conveys the impression that Carroll was in a special position to influence Judge Bitney’s ultimate decision – a position not available to individuals that he had not ‘friended,’ such as Miller.”

As a result, the court reversed and remanded the case for further proceedings before a different judge.

So, what do you think?  Should judges accepting friend requests from litigants disqualify them from ruling in their cases?  Please let us know if any comments you might have or if you’d like to know more about a particular topic.

Hat tip to Sharon Nelson’s Ride the Lightning blog for coverage of this case.

Case opinion link courtesy of eDiscovery Assistant.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Ignoring Internet of Things Devices Could Be IdIoTic: eDiscovery Trends

See what I did there?  ;o)  While I’m speaking at the University of Florida E-Discovery Conference today, let’s take a look at a couple of articles related to Internet of Things (IoT) devices that you need to know from an eDiscovery standpoint.

In an article in Legaltech News (E-Discovery’s New Challenge: Not Ignoring Internet of Things Data, written by Victoria Hudgins), the author notes that, in addition to smartphones, items such as Fitbits, Amazon’s Alexa, self-vacuuming Roombas and internet-connected cars also fall under the IoT umbrella of items that are connected to the internet and collect and share data.

Dana Conneally, managing partner at QDiscovery and Evidox Corp., noted IoT devices may have multiple data repositories, which creates more data for attorneys to review.

“You want to know what’s on the hard drive of the device, but they are typically connected to the internet and cloud. … Now you have three different rabbit holes you are trying to chase down at the same time,” Conneally said.

Such devices represent a new source of evidence for a lawyer’s clients, but how to find value in such data can be difficult.

“Attorneys, a lot of the time, haven’t been trained how to do that,” said Cozen O’Connor eDiscovery and practice advisory services group chairman Dave Walton. “What are the types of evidence out there? We need to know to win in this environment.”

Walton said attorneys are “overwhelmed” by IoT devices in e-discovery, and they usually reason that it’s not practical to assess such devices. However, Walton suggested lawyers should always evaluate if their client’s legal matter warrants obtaining information from an IoT device and make proportional requests for the data, an approach that also governs other types of discoverable content.

“You have to be proportional about how you go about the evidence. The more you know about the evidence, the better you know about alternatives” and efficient ways to obtain the evidence, Walton said.

Smartphones aside, while I have seen several criminal cases involving IoT devices (including this one, this one and this one), I haven’t too many civil cases involving IoT devices (yet).  But, I expect to see more over time.

But, that’s not all!  Earlier this month, the Cloud Security Alliance (CSA) announced the release of the CSA IoT Controls Framework, its first such framework for IoT which introduces the base-level security controls required to mitigate many of the risks associated with an IoT system operating in a range of threat environments. Created by the CSA IoT Working Group, the new Framework together with its companion piece, the Guide to the CSA Internet of Things (IoT) Controls Framework, provide organizations with the context in which to evaluate and implement an enterprise IoT system that incorporates multiple types of connected devices, cloud services, and networking technologies.

Utilizing the Framework, user owners will assign system classification based on the value of the data being stored and processed and the potential impact of various types of physical security threats. Regardless of the value assigned, the Framework has utility across numerous IoT domains from systems processing only “low-value” data with limited impact potential, to highly sensitive systems that support critical services.

The CSA IoT Working Group develops frameworks, processes and best-known methods for securing these connected systems. Further, it addresses topics including data privacy, fog computing, smart cities and more. Individuals interested in becoming involved in future IoT research and initiatives are invited to visit the Internet of Things Working Group join page.

Hat tip to Rob Robinson’s Complex Discovery blog for the info on the CSA IoT Controls Framework.  Here’s the press release with more information.  Dealing with IoT devices is inevitable, so don’t be idIoTic and get informed!  ;o)

So, what do you think?  Have you had to deal with IoT devices in your eDiscovery projects?  Please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

Tomorrow is the U-Fla E-Discovery Conference!: eDiscovery Best Practices

Usually, I remind you the day of a conference about it, but this one is big enough that I want to give you more time to register – at least for the livestream.  Believe it or not, tomorrow is the seventh annual University of Florida E-Discovery Conference.  And, as usual, the panel of speakers is an absolute who’s who in eDiscovery.

The conference focus this year is effectively managing discovery from the opposition. As they state on the site: “The opposition often holds the keys to the case. How can you make sure you get the documents you are entitled to? How can you assure that the opposition is doing the best job identifying, collecting, searching and producing requested documents.”

The conference is tomorrow from 8am to 6pm ET.  And, again this year, U-Fla will also be hosting CareerFest the day before (which is today!) at noon ET.

As you can always expect from the U-Fla conference, there are a veritable plethora of experts, including Craig Ball, George Socha, Aaron Crews, Scott Milner, Kelly Twigger, Tessa Jacobs, David Horrigan, Canaan Himmelbaum, Suzanne Clark, Mike Dalewitz, Mike Quartararo, and Ian Campbell.  And, a bunch of distinguished federal and state judges, including U.S. Magistrate Judges William Matthewman, Mac McCoy, Patricia Barksdale, and Gary Jones and retired Florida Circuit Court Judge Ralph Artigliere.

I will be there again as well, presenting in the E-Discovery Nuts and Bolts session.  The topic is Why Waiting Until the Case is Filed May Now be Too Late for Discovery!

I’ll be discussing the drivers and challenges (such as #MeToo, growing data privacy concerns with GDPR and the pending California Privacy Act) facing organizations today to understand their data better to avoid litigation in the first place and discuss where discovery is heading in the future.  Expect a lot of interesting (if not sobering) stats!

From what I understand, unless you’re a student, the conference is sold out in person!  (Maybe you’d better act earlier next time if you want to attend in person!)  But, livestream attendance is still available – and it’s still only $99 for a whole day of CLE-accredited education from a who’s who of eDiscovery experts.  And, it’s free to university and college faculty, professional staff, judicial officials, clerks, and employees of government bodies and agencies.  To register for livestream attendance, click here.

So, what do you think?  Are you going to attend the conference in person or via livestream?  There’s still time to register!  Please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

According to Survey, Difficulty Getting Budget is the Top Legal Tech Struggle for GCs: eDiscovery Trends

According a new survey from Clyde & Co and Winmark, the number one reason that General Counsel (GCs) struggle with legal tech adoption and implementation is ‘difficulty in getting budget‘.  But, don’t blame the board for that.  ;o)

According to Artificial Lawyer (‘Difficulty Getting Budget’ No 1 Reason GCs Struggle With Legal Tech), 55 percent of the inhouse lawyers identified ‘difficulty in getting budget‘ as a challenge, which was the most of any challenges identified.  Here is the complete list of challenges and percentages for each:

  • Difficulty getting budget: 55 percent
  • Issues with legacy systems: 45 percent
  • Deciding what to invest in: 37 percent
  • Lack of time: 31 percent
  • Tech not meeting expectations: 25 percent
  • Lack of knowledge: 24 percent
  • Implementation overruns: 20 percent
  • Legal framework for tech not complete: 18 percent
  • Resistance to change from the board: 10 percent

So, over half of the GCs indicate that it’s difficult to get the budget for technology, but only 10% indicate that the board is resistant to change.  Sounds to me like it’s not so much the board holding GCs back as it’s demonstrating return on investment (ROI) on the tech purchase that’s the stumbling block.  Maybe.

The entire 40-page report is available and can be downloaded from here – it has various findings from GCs and board directors regarding risk landscape and responsibility, technology innovation and risk and the role of the GC.  For example, despite the high perceived risk of cyber attack (75 percent from GCs, 79 percent from board members), 42 percent of GCs and 37 percent of board directors do not have a plan in place to address those attacks.

I should note that, when downloading the report yesterday, I received an odd error on the screen that seemed to indicate that it didn’t accept my inputs, but a link to the report was still emailed to me.  Be patient.  :o)

So, what do you think?  Is budget the biggest challenge for GCs with regard to technology?  Please share any comments you might have or if you’d like to know more about a particular topic.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.

In Decision That Sounds the “Death Knell” for Fifth Amendment Protection, Defendant Ordered to Provide Cell Phone Password: eDiscovery Case Law

In Commonwealth v. Jones, SJC-12564 (Mass. Mar. 6, 2019), the Supreme Judicial Court of Massachusetts reversed a lower court judge’s denial of the Commonwealth’s renewed Gelfgatt motion (where the act of entering the password would not amount to self-incrimination because the defendant’s knowledge of the password was already known to the Commonwealth, and was therefore a “foregone conclusion” under the Fifth Amendment and art. 12 of the Massachusetts Declaration of Rights), and the court remanded the case to the Superior Court for entry of an order compelling the defendant to enter the password into the cell phone at issue in the case.

Case Background

In this case involving allegations that the defendant was trafficking a person for sexual servitude, the Commonwealth of Massachusetts seized a cell phone from the defendant that it believed contained material and inculpatory evidence, but was unable to access the phone’s contents because they were protected by a passcode.  The Commonwealth sought to compel the defendant to decrypt the cell phone by filing a motion for an order requiring the defendant to produce a personal identification number access code in the Superior Court.

The central legal issue concerned whether compelling the defendant to enter the password to the cell phone would violate his privilege against self-incrimination guaranteed by both the Fifth Amendment and art. 12.  The Commonwealth argued that under the decision in Commonwealth v. Gelfgatt, 468 Mass. 512, 11 N.E.3d 605 (2014), the act of entering the password would not amount to self-incrimination because the defendant’s knowledge of the password was already known to the Commonwealth, and was therefore a “foregone conclusion” under the Fifth Amendment and art. 12. Following a hearing, a judge denied the Commonwealth’s motion, concluding that the Commonwealth had not proved that the defendant’s knowledge of the password was a foregone conclusion under the Fifth Amendment.

Several months later, the Commonwealth renewed its motion and included additional factual information that it had not set forth in its initial motion. The judge denied the renewed motion, noting that because the additional information was known or reasonably available to the Commonwealth when the initial motion was filed, he was “not inclined” to consider the renewed motion under the Massachusetts Rules of Criminal Procedure.  The Commonwealth then filed a petition for relief in the county court, and the single justice reserved and reported the case to the full court. The single justice asked the parties to address three specific issues, in addition to any other questions they thought relevant:

  1. What is the burden of proof that the Commonwealth bears on a motion like this in order to establish a “foregone conclusion,” as that term is used in Commonwealth v. Gelfgatt?
  2. Did the Commonwealth meet its burden of proof in this case?
  3. When a judge denies a ‘Gelfgatt’ motion filed by the Commonwealth and the Commonwealth thereafter renews its motion and provides additional supporting information that it had not provided in support of the motion initially, is a judge acting on the renewed motion first required to find that the additional information was not known or reasonably available to the Commonwealth when the earlier motion was filed before considering the additional information?

Court’s Ruling

In an opinion written by Justice J. Kafker, with regard to question 1, he wrote that: “we conclude that when the Commonwealth seeks a Gelfgatt order compelling a defendant to decrypt an electronic device by entering a password, art. 12 requires that, for the foregone conclusion to apply, the Commonwealth must prove beyond a reasonable doubt that the defendant knows the password.”

With regard to question 2, Justice Kafker wrote: “The defendant’s possession of the phone at the time of his arrest, his prior statement to police characterizing the LG phone’s telephone number as his telephone number, the LG phone’s subscriber information and CSLI records, and Sara’s statements that she communicated with the defendant by contacting the LG phone, taken together with the reasonable inferences drawn therefrom, prove beyond a reasonable doubt that the defendant knows the password to the LG phone. Indeed, short of a direct admission, or an observation of the defendant entering the password himself and seeing the phone unlock, it is hard to imagine more conclusive evidence of the defendant’s knowledge of the LG phone’s password. The defendant’s knowledge of the password is therefore a foregone conclusion and not subject to the protections of the Fifth Amendment and art. 12.”

With regard to question 3, Justice Kafker wrote: “Although some, if not all, of the additional information included in its renewed motion may very well have been available to the Commonwealth at the time it filed its initial motion, in light of the nature and purpose of Gelfgatt motions and the circumstances of this case, the judge erred in concluding that he need not consider the additional information “[a]bsent a showing of new evidence not otherwise available to the Commonwealth.” The motion judge therefore abused his discretion in denying the Commonwealth’s renewed Gelfgatt motion.”

As a result, the motion judge’s denial of the Commonwealth’s renewed Gelfgatt motion was reversed, and the case was remanded to the Superior Court for entry of an order compelling the defendant to enter the password into the cell phone

Justice J. Lenk, while concurring with the decision, also said this: “The court’s decision today sounds the death knell for a constitutional protection against compelled self-incrimination in the digital age. After today’s decision, before the government may order an individual to provide it with unencrypted access to a trove of potential incriminating and highly personal data on an electronic device, all that the government must demonstrate is that the accused knows the device’s passcode. This is not a difficult endeavor, and in my judgment, the Fifth Amendment and art. 12 demand more. That is, before the government may compel an accused’s assistance in building a case against that accused, the government must demonstrate that it already knows, with reasonable particularity, of files on the device relevant to the offenses charged, and that the defendant knows the passcode to unlock them. Because I conclude that the government here met those burdens, I join in the court’s result.”

So, what do you think?  Should defendants be ordered to provide their passcodes, even if it leads to incriminating evidence against them?  Please let us know if any comments you might have or if you’d like to know more about a particular topic.

Case opinion link courtesy of eDiscovery Assistant.

Sponsor: This blog is sponsored by CloudNine, which is a data and legal discovery technology company with proven expertise in simplifying and automating the discovery of data for audits, investigations, and litigation. Used by legal and business customers worldwide including more than 50 of the top 250 Am Law firms and many of the world’s leading corporations, CloudNine’s eDiscovery automation software and services help customers gain insight and intelligence on electronic data.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.